Vulnerability Assessment

It is not a matter of if an attack will occur, but a matter of when. The most important asset of an organization is its data.

Determine the Assets to be protected.

The 2 most common assets are people and physical assets.

Create an inventory of the IT Assets.

Next, determine the value of each Asset.

The questions to ask are:

How much revenue does the asset generate?

How difficult is it to replace the asset?

What impact does the loss of the asset have on the organization?


Category of Threat                       Example
Natural Disaster                         Fire, flood or hurricane destroys data
Compromise of Intellectual Property      Copyright infringement, or pirated software
Espionage                                Spy steals the production schedule
Extortion                                Mail clerk is blackmailed into intercepting mail
Hardware failure or error                Firewall blocks all network traffic
Human Error                              Employee drops a laptop in a public space
Sabotage or Vandalism                    Attacker implants worms that erase files
Software attacks                         Virus, worm or DDoS compromises hardware or software
Technical Obsolescence                   Programs do not function under a new version of the operating system
Theft                                    Desktop systems are stolen from unlocked rooms
Utility interruption                     Electrical power is cut off


Threat Modeling is used to understand:

  1. Who the attackers are.
  2. Why they attack.
  3. What types of attacks can occur.

Human error threats to a network hardware device include:

  1. Improperly installed Firmware that prevents users from accessing the device.
  2. Incorrect configuration stops the device from functioning properly.
  3. Administrator provides access to an unauthorized user.

Vulnerability assessment must be conducted by a team of diverse members, not by one person.

Risk Assessment determines the damage that would result from an attack and the likelihood that the vulnerability is a risk to the organization.


Loss of wireless connectivity in the cafeteria is a temporary inconvenience, but does not affect production.

 

Risk Calculation Formulas are:

  1. Single Loss Expectancy (SLE) – the money lost every time a risk occurs.

It is the product of Asset Value (AV) and Exposure Factor (EF).

EF is the percentage of the AV destroyed by a particular risk.

               SLE = AV * EF

  2. Annualized Loss Expectancy (ALE) – the expected loss over 1 year.

It is the product of SLE and the Annualized Rate of Occurrence (ARO), the number of times the risk is expected to occur in a year.

               ALE = SLE * ARO
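The two formulas above, worked through in code so that several risks can be ranked by ALE. This is an added example, not part of the original notes; the asset values, exposure factors and occurrence rates in the sample register are constructed figures, and the input checks (EF between 0 and 1, no negative values) are a defensive choice of this example.

```python
"""Single Loss Expectancy and Annualized Loss Expectancy calculator.

Added example (not from the original notes): ranks a constructed set of
risks by ALE so the ones worth mitigating first stand out.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV destroyed (0.0 to 1.0)
    aro: float              # Annualized Rate of Occurrence (events per year)


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV * EF; EF must be a fraction between 0 and 1."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    if av < 0:
        raise ValueError("asset value cannot be negative")
    return av * ef


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO; ARO may be fractional (e.g. 0.1 = once per ten years)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def rank_risks(risks):
    """Return (name, SLE, ALE) tuples sorted by ALE, highest first."""
    rows = []
    for r in risks:
        sle = single_loss_expectancy(r.asset_value, r.exposure_factor)
        ale = annualized_loss_expectancy(sle, r.aro)
        rows.append((r.name, sle, ale))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register; the figures are illustrative only.
SAMPLE_RISKS = [
    Risk("Web server defaced", asset_value=200_000, exposure_factor=0.25, aro=2.0),
    Risk("Data center flood", asset_value=5_000_000, exposure_factor=0.60, aro=0.02),
    Risk("Laptop lost in public", asset_value=3_000, exposure_factor=1.0, aro=12.0),
]

if __name__ == "__main__":
    for name, sle, ale in rank_risks(SAMPLE_RISKS):
        print(f"{name:<24} SLE={sle:>12,.2f}  ALE={ale:>12,.2f}")
```

Note how the ranking differs from a ranking by SLE alone: the flood has by far the largest single loss, but its low ARO puts it behind the defacement on an annual basis, which is the figure a mitigation budget is compared against.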


Next, estimate the probability of the vulnerability actually occurring.

Either use statistical analysis or guess.

The scale is 1 to 10, with 10 being very likely.

 

The final step is to determine what to do about the risk, i.e. Risk Mitigation.

Risks cannot be entirely eliminated.

The question to ask is, “How much acceptable risk can we tolerate?”


When confronted with risk, the 3 options are:

  1. Take Proactive Steps to diminish the risk.
  2. Transfer the Risk by outsourcing the service or product to mitigate the risk.

For example, outsource the creation, maintenance and management of the Web Server.

  3. Purchase Insurance and reduce the cost by accepting a deductible.

Retained Risk = (Cost of the asset – Insurance coverage)

Instead of purchasing insurance, join a Risk Retention Pool.

No premiums are paid, but losses are assessed by all members of the group.

 

The final approach is to accept the risk if the advantages outweigh the disadvantages.

Providing Smartphones to employees is risky, because an employee can lose the phone with company data on it.

But, if employees do not have Smartphones, there will be loss of revenue.

Therefore, accept the risk and provide Smartphones to employees.

 

Most property and other risks are not insured against war.

The risk is too large to be insured.

Therefore, some risks have to be accepted.

Some risks cannot be diminished or transferred.


Techniques used in Vulnerability Assessment are:

  1. Baseline Reporting
  2. Techniques associated with Application Development

 

Usually Baseline refers to the Initial Value.

In Networking, the Baseline is recorded when a New Network System is installed and running smoothly.

 

In IT security, the Initial Value is not the current state of the system.

The Initial Value is the standard against which the current state is compared.

 

Baseline Reporting is a comparison of the present state of a system against its baseline.

Differences in technical, management and operational issues must be noted and addressed.

Deviations from the Baseline may not be harmful.

The deviation (difference) might be appropriate for the system.

The differences must be:

  1. Noted
  2. Evaluated
  3. Documented
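A baseline report in code, as an added example that is not part of the original notes. Two constructed snapshots stand in for what an inventory tool would record at install time and today; every deviation is noted, and an approved-deviations table (hypothetical change-ticket references) marks the ones that have already been evaluated and documented, so only the rest need investigation. The same comparison applies to the vulnerability scan report described later on the page.

```python
"""Baseline reporting: compare a current system snapshot against its baseline.

Added example, not part of the original notes. The snapshots are constructed
dictionaries standing in for what a scanner or inventory tool would collect.
"""
from dataclasses import dataclass


# Constructed baseline recorded when the system was installed and stable.
BASELINE = {
    "listening_ports": {22, 443},
    "admin_accounts": {"root", "ops"},
    "settings": {"ssh_password_auth": "no", "firewall": "enabled"},
}

# Constructed current state, as a later inventory run might report it.
CURRENT = {
    "listening_ports": {22, 443, 8080},
    "admin_accounts": {"root", "ops", "temp_contractor"},
    "settings": {"ssh_password_auth": "yes", "firewall": "enabled"},
}

# Deviations already evaluated and documented as acceptable (hypothetical ticket id).
APPROVED = {
    ("listening_ports", "added", "8080"): "CHG-0042: staging web app, approved by owner",
}


@dataclass
class Deviation:
    category: str
    change: str            # "added", "removed" or "changed"
    item: str
    detail: str = ""
    approved_by: str = ""  # empty means unapproved and needs action

    @property
    def key(self):
        return (self.category, self.change, self.item)


def diff_sets(category, base, now):
    """Note items that appeared or disappeared relative to the baseline set."""
    devs = [Deviation(category, "added", str(x)) for x in sorted(now - base)]
    devs += [Deviation(category, "removed", str(x)) for x in sorted(base - now)]
    return devs


def diff_settings(base, now):
    """Note settings whose value differs from the baseline value."""
    devs = []
    for key in sorted(set(base) | set(now)):
        if base.get(key) != now.get(key):
            devs.append(Deviation("settings", "changed", key,
                                  f"{base.get(key)!r} -> {now.get(key)!r}"))
    return devs


def baseline_report(baseline, current, approved):
    """Every deviation is noted; approved ones carry their documentation."""
    devs = diff_sets("listening_ports", baseline["listening_ports"], current["listening_ports"])
    devs += diff_sets("admin_accounts", baseline["admin_accounts"], current["admin_accounts"])
    devs += diff_settings(baseline["settings"], current["settings"])
    for d in devs:
        d.approved_by = approved.get(d.key, "")
    return devs


def unapproved(devs):
    """The deviations that still have to be evaluated."""
    return [d for d in devs if not d.approved_by]


if __name__ == "__main__":
    for d in baseline_report(BASELINE, CURRENT, APPROVED):
        status = f"approved ({d.approved_by})" if d.approved_by else "UNAPPROVED - investigate"
        print(f"{d.category}: {d.change} {d.item} {d.detail} [{status}]")
```

The new port is a documented, appropriate deviation; the extra administrator account and the re-enabled password authentication are not, and those are the two lines a reviewer would act on.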

 

Flaws in OS, Applications and Utility programs are an attacker’s ally.

Software vulnerabilities must be minimized during software development, not via patches later.

Design errors and coding errors cause the software to function differently from the intended behavior.

 

Minimizing software errors is difficult for the following reasons:

  1. Size and complexity of the software.
  2. Lack of formal specification.
  3. Future attacks – methods of attacks are constantly evolving and cannot be predicted.

 

Assessment techniques in software development to minimize vulnerabilities are:

  1. Requirements – lists the required features and quality maintenance requirements.

Understanding the hardware and software architecture and how they interact minimizes design flaws and hence reduces attacks.

  2. Design – before code is written, key personnel from different levels of the project conduct a Design Review.

Some software developers employ Security Consultants from the inception of the project to assist in the creation of a secure application.

  3. Implementation – while the code is written, it is reviewed by multiple reviewers.

The Attack Surface is also examined at this time.

Limiting the Attack Surface includes:

  3.1  Validating user input
  3.2  Reducing the amount of code running to a minimum
  3.3  Eliminating or restricting Services invoked by the software

  4. Verification – errors or “Bugs” are identified and corrected.
  5. Release – software is shipped.
  6. Support – vulnerabilities are uncovered, security updates are created and distributed.
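Point 3.1, validating user input, shown as an added example that is not from the original notes. A file-download handler appears twice: the naive version joins whatever name the user supplies onto the export directory, the validating version accepts only names matching an allow-list pattern and then independently confirms the resolved path is still inside that directory. The directory name is assumed, and nothing is read from disk.

```python
"""Validating user input to limit the attack surface.

Added example, not from the original notes. Paths are constructed and only
computed, never opened; EXPORT_DIR is an assumed location.
"""
import re
from pathlib import Path

EXPORT_DIR = Path("/srv/exports")  # assumed directory served to users
# Allow-list: short alphanumeric stem plus one of two permitted extensions.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(csv|pdf)$")


def naive_download_path(user_name: str) -> Path:
    """Vulnerable: any string, including '..' segments, is joined in unchecked."""
    return (EXPORT_DIR / user_name).resolve()


def validated_download_path(user_name: str) -> Path:
    """Hardened: allow-list the name, then confirm the path stays inside EXPORT_DIR."""
    if not SAFE_NAME.fullmatch(user_name):
        raise ValueError("file name does not match the permitted pattern")
    candidate = (EXPORT_DIR / user_name).resolve()
    # Second, independent check (defense in depth): the resolved path must
    # still be under the export directory even if the pattern were loosened.
    if EXPORT_DIR.resolve() not in candidate.parents:
        raise ValueError("path escapes the export directory")
    return candidate


def is_inside_export_dir(p: Path) -> bool:
    """True when the resolved path lies below EXPORT_DIR."""
    return EXPORT_DIR.resolve() in p.resolve().parents


if __name__ == "__main__":
    for name in ["q1-report.csv", "../../etc/hosts", "q1 report.csv", "report"]:
        naive = naive_download_path(name)
        try:
            validated_download_path(name)
            verdict = "accepted"
        except ValueError as exc:
            verdict = f"rejected ({exc})"
        print(f"{name!r}: naive handler would open {naive} "
              f"(inside export dir: {is_inside_export_dir(naive)}); validated handler: {verdict}")
```

The allow-list is what actually shrinks the attack surface: rather than enumerating bad characters, it defines the only shapes of input the code has to reason about, and the path check catches anything the pattern might later be loosened to admit.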

Linus's Law (named after Linus Torvalds): “Given enough eyeballs, all bugs are shallow”

 

Tools available for Vulnerability Assessment are:

  1. Port Scanners
  2. Protocol Analyzers
  3. Vulnerability Scanners
  4. Honey-pots
  5. Honey-nets

 

The Vulnerability Assessment Tools can also be used by Attackers to uncover vulnerabilities.

 

Logical Ports are allocated a number, called a Port Number, to identify a service or program.

Physical Ports are interfaces (USB Port) on a controller card or a PC.

 

A Port Number is 16 bits long, so Port Numbers range from 0 to 65,535 (2^16 values).

 

Well-known Port Numbers (0 to 1,023)                   – reserved for Universal Applications
Registered Port Numbers (1,024 to 49,151)              – used by other Applications
Dynamic and Private Port Numbers (49,152 to 65,535)    – available for use by any Application


Port Scanner software can search a system for any Port Vulnerabilities.

Port Scanners are used to determine the State of the Port to know what Applications are running and could be exploited.


Port States are:

  1. Open – the application or service is listening on that Port for instructions.
  2. Closed – no process is listening on this Port. All connections are refused.
  3. Blocked (also called Filtered) – the host system will not reply to any queries to this Port Number.
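The three port states, classified from the outcome of a TCP connect, as an added example that is not part of the original notes. It probes the local host only: a throwaway listener is started in-process so the "open" case can be seen offline, the same port shows "closed" once the listener is gone, and a probe that gets no answer before the timeout is reported as "blocked". The allow-list audit at the end is the defender's use of the same probe: confirming that only approved services are listening.

```python
"""Classifying TCP port state the way a port scanner reports it.

Added example, not from the original notes. All probes go to 127.0.0.1.
"""
import socket


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Return "open", "closed" or "blocked" for host:port using a TCP connect."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"            # handshake completed: something is listening
        except ConnectionRefusedError:
            return "closed"          # RST came back: host up, nothing listening
        except (socket.timeout, TimeoutError):
            return "blocked"         # no reply at all: dropped by a filter
        except OSError:
            return "blocked"         # e.g. host unreachable; treat as no answer


def start_listener():
    """Listen on an ephemeral loopback port; the kernel completes handshakes
    for us, so no accept loop is needed. Returns (server socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def audit_against_allowlist(host, ports, allowed):
    """Open ports that are not on the approved list (a hardening check)."""
    return sorted(p for p in ports if probe_port(host, p) == "open" and p not in allowed)


def demo():
    """Open one ephemeral port, probe it, close it, probe again."""
    srv, port = start_listener()
    while_open = probe_port("127.0.0.1", port)
    srv.close()
    after_close = probe_port("127.0.0.1", port)
    return port, while_open, after_close


if __name__ == "__main__":
    port, a, b = demo()
    print(f"port {port}: {a} while listening, {b} after the listener closed")
```

A "blocked" result is the one that needs interpretation: it can mean a host-based or network firewall dropping the probe, or simply that the host is down, so the scanner's report has to be read alongside what is known about the filtering in place.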

A Protocol Analyzer or Sniffer is hardware or software that captures packets in order to decode and analyze their contents.

 

Protocol Analyzer can be used to:

  1. Troubleshoot Network – detect and diagnose addressing errors and protocol configuration errors.
  2. Network traffic characterization – to fine-tune the network and manage bandwidth.
  3. Security Analysis – DoS and other attacks can be detected by examining the network traffic.

 

A Protocol Analyzer puts the Network Interface Card (NIC) in Promiscuous Mode.

In Promiscuous Mode, the NIC passes all Network Traffic (Packets) it sees to the analyzer, not only the frames addressed to it.
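What an analyzer does with the captured packets, as an added example that is not from the original notes: decode the IPv4 and TCP headers, then apply the security-analysis use from the list above by counting bare SYNs per source to flag a SYN flood. Rather than reading from a NIC in promiscuous mode, the block builds a small constructed capture in memory (checksums are left zero, which the decoder does not verify); the addresses and the threshold are constructed values.

```python
"""Decoding captured packets and spotting a SYN flood in the traffic.

Added example, not part of the original notes. The capture is constructed
in memory; the decode-and-count logic is what matters.
"""
import struct
from collections import Counter
from ipaddress import IPv4Address

SYN, ACK = 0x02, 0x10


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Minimal IPv4 header (20 bytes, no options) + TCP header (20 bytes); checksums zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, (5 << 4), flags, 65535, 0, 0)
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp


def decode(packet):
    """Return (src, dst, sport, dport, flags) or None if it is not IPv4/TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]
    if proto != 6 or len(packet) < ihl + 20:
        return None
    src = str(IPv4Address(packet[12:16]))
    dst = str(IPv4Address(packet[16:20]))
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13]              # TCP flags byte
    return src, dst, sport, dport, flags


def syn_flood_sources(packets, threshold):
    """Sources that sent more than `threshold` bare SYNs (SYN set, ACK clear)."""
    counts = Counter()
    for pkt in packets:
        d = decode(pkt)
        if d is None:
            continue
        src, _, _, _, flags = d
        if flags & SYN and not flags & ACK:
            counts[src] += 1
    return {src: n for src, n in counts.items() if n > threshold}


# Constructed capture: one normal handshake, then a burst of bare SYNs from
# one source that never completes a connection.
SAMPLE_CAPTURE = [build_ipv4_tcp("10.0.0.5", "10.0.0.1", 40000, 443, SYN),
                  build_ipv4_tcp("10.0.0.1", "10.0.0.5", 443, 40000, SYN | ACK),
                  build_ipv4_tcp("10.0.0.5", "10.0.0.1", 40000, 443, ACK)]
SAMPLE_CAPTURE += [build_ipv4_tcp("198.51.100.7", "10.0.0.1", 1024 + i, 443, SYN)
                   for i in range(50)]

if __name__ == "__main__":
    print(decode(SAMPLE_CAPTURE[0]))
    print(syn_flood_sources(SAMPLE_CAPTURE, threshold=20))
```

Counting SYNs that are never followed by the rest of the handshake is the classic indicator; on a real capture the threshold would be set from the baseline traffic rate for that host, and spoofed source addresses mean the count per source is a starting point rather than an attribution.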

 

Protocol Analyzer is a great tool for the attacker.

Vulnerability Scanners maintain a database that categorizes and describes all the detected vulnerabilities.

 

Vulnerability Scanners can:

  1. Alert when new systems are added to the network.
  2. Detect when an application is compromised or subverted.
  3. Detect when an internal system begins to port scan other systems.
  4. Detect which ports are served and which ports are browsed for each system.
  5. Identify which application and servers host or transmit sensitive data.
  6. Maintain a log of all interactive network sessions.
  7. Passively determine the type of OS of each active system.
  8. Track all client and server application vulnerabilities.
  9. Track which system communicates with other internal systems.

 

Open Vulnerability and Assessment Language (OVAL) is a “common language” for exchanging the data collected by Security Vulnerability software.

OVAL vulnerability definitions are recorded in XML.
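What an OVAL definition looks like and how its criteria are combined, as an added example that is not from the original notes. The XML is a constructed, heavily trimmed definitions document (the `oval:example.local:...` ids are placeholders), and the per-test results passed in are assumed, since in OVAL they come from a separate results document produced by the scanner; the block only shows how the AND/OR criteria tree turns those results into a vulnerable/not-vulnerable verdict.

```python
"""Parsing an OVAL definition and evaluating its criteria tree.

Added example, not from the original notes. The fragment below is a
constructed, simplified OVAL definitions document with placeholder ids.
"""
import xml.etree.ElementTree as ET

NS = {"oval-def": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

SAMPLE_OVAL = """<?xml version="1.0"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:example.local:def:1" version="1" class="vulnerability">
      <metadata>
        <title>Placeholder: outdated web server package</title>
        <description>Constructed example definition.</description>
      </metadata>
      <criteria operator="AND">
        <criterion test_ref="oval:example.local:tst:1" comment="package installed"/>
        <criteria operator="OR">
          <criterion test_ref="oval:example.local:tst:2" comment="version below fixed"/>
          <criterion test_ref="oval:example.local:tst:3" comment="config flag present"/>
        </criteria>
      </criteria>
    </definition>
  </definitions>
</oval_definitions>
"""


def evaluate_criteria(node, results):
    """Recursively combine criterion results with the node's AND/OR operator."""
    operator = node.get("operator", "AND").upper()   # OVAL's default operator is AND
    values = []
    for child in node:
        tag = child.tag.split("}")[-1]               # strip the namespace
        if tag == "criterion":
            values.append(results.get(child.get("test_ref"), False))
        elif tag == "criteria":
            values.append(evaluate_criteria(child, results))
    if operator == "AND":
        return all(values)
    if operator == "OR":
        return any(values)
    raise ValueError(f"unsupported operator {operator}")


def evaluate_definitions(xml_text, results):
    """Return {definition id: (title, class, vulnerable?)} for every definition."""
    root = ET.fromstring(xml_text)
    out = {}
    for d in root.findall("oval-def:definitions/oval-def:definition", NS):
        title = d.findtext("oval-def:metadata/oval-def:title", default="", namespaces=NS)
        crit = d.find("oval-def:criteria", NS)
        out[d.get("id")] = (title, d.get("class"), evaluate_criteria(crit, results))
    return out


if __name__ == "__main__":
    assumed_results = {"oval:example.local:tst:1": True, "oval:example.local:tst:3": True}
    for def_id, (title, cls, vulnerable) in evaluate_definitions(SAMPLE_OVAL, assumed_results).items():
        print(f"{def_id} [{cls}] {title}: {'VULNERABLE' if vulnerable else 'not vulnerable'}")
```

The value of the common language is visible in the structure: any tool that can produce the per-test results can reuse the same definition, and any tool that can read the definition knows exactly which conditions were combined to reach the verdict.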


Honey-pot:

  1. Is a PC.
  2. Located in the DMZ (Demilitarized Zone) – a partially secure location.
  3. Contains imitations of real data files.
  4. Configured with vulnerabilities.
  5. Attracts Attackers.
  6. Used to learn the techniques used by Attackers.
  7. Diverts attention from the real servers.

 

Honey-net:

  1. Similar to Honey-pot.
  2. Is a Network with intentional vulnerabilities.
  3. Contains 1 or more Honey-pots.

 

 

Vulnerability Assessment procedures are:

  1. Vulnerability Scanning
  2. Penetration Testing

 

Vulnerability Scan is an automated software scan (search) of known security vulnerabilities (weaknesses) that creates a report of those potential exposures.

The report can be compared against a baseline scan for any changes.

Vulnerability Scan should be conducted when new technology equipment is deployed.

 

Vulnerability Scan:

  1. Is performed from inside the security perimeter.
  2. Is not meant to disrupt normal operation of network devices.
  3. Is a passive test.
  4. Testing can be done by anyone, but the analysis of the report must be done by a trained person.
  5. Must be conducted at least once a month.

 

Penetration Testing (Pentest) is designed to exploit any weakness in the system.

 

Penetration Testing:

  1. Relies on the skill, knowledge and cunning of the tester (not automated software).
  2. Tester is an outside contractor/consultant.
  3. Tester works from outside (not inside) the security perimeter.
  4. Might interrupt the operation of the network (not passive testing).
  5. Report focuses on what data was compromised, how and why.
  6. Report may suggest solutions, but the organization must find its own solution.

 

Techniques used by the Penetration Tester:

  1. Black Box test – tester has no prior knowledge of the network.

Social Engineering tricks can be used to learn about the infrastructure.

  2. White Box test – tester has complete knowledge of the network to be penetrated.
  3. Gray Box test – tester has limited knowledge of the network to be penetrated.

 

Security Administrator Tool for Analyzing Networks (SATAN) requires no advanced technical knowledge for penetration testing.


Techniques used to mitigate attacks are:

  1. Security Posture.
  2. Configuring Controls.
  3. Hardening.
  4. Reporting.

 

Some view security as a nuisance to be tolerated.

Others regard security as essential for the organization's survival.

This is the security posture (approach or philosophy).

 

Elements that make up a Security Posture are:

  1. Initial Baseline Configuration.

A Baseline is a standard security checklist used to evaluate a Security Posture.

The Baseline outlines the major security considerations for a system.

It is the starting point for solid security.

  2. Continuous Security Monitoring provides information about the current state of preparedness.
  3. Remediation is a plan to address the vulnerabilities before they are exploited by attackers.

 

Proper Controls mitigate and deter attacks.

A Closed Circuit TV (CCTV) is a control but it cannot prevent an attack.

A security guard at the entrance could prevent an attack.

 

Does safety take priority over security?

If the power fails, an electromagnetic door lock can prevent people from escaping a building on fire.

A Fail-open Lock will open the door even if power fails.

A Fail-safe (Fail-secure) Lock will not open if the power fails.

 

A Fail-safe Firewall will close the program or even stop the OS to prevent any malicious activity.

A Fail-open Firewall will permit traffic in and out and leave the system open to attacks.

 

Hardening eliminates as many risks as possible and makes the system more secure.

Types of Hardening techniques are:

  1. Protecting User Accounts with Passwords.
  2. Disabling unnecessary User Accounts.
  3. Disabling unnecessary Services.
  4. Protecting management interfaces and applications.

 

Reporting can take the form of Alarms or Alerts.

Reports on trends can indicate a serious impending situation.

A trend report may indicate that multiple user accounts are experiencing multiple password attempts.
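The trend report just described, as an added example that is not part of the original notes: failed-login lines are parsed, bucketed into fixed time windows, and a window in which several accounts each see several failures is raised as an alert (one account failing repeatedly is a user with a forgotten password; many accounts failing together is the trend worth reporting). The log lines are constructed in the style of an OpenSSH auth log, the year is assumed because syslog lines carry none, and the window size and thresholds are assumptions a site would tune.

```python
"""Trend reporting: multiple accounts each seeing multiple failed logins.

Added example, not part of the original notes. SAMPLE_LOG is constructed;
the thresholds are assumed values.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches OpenSSH-style "Failed password" lines, with or without "invalid user".
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                  r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

SAMPLE_LOG = """\
Mar  3 09:00:01 host1 sshd[2201]: Failed password for alice from 203.0.113.9 port 51011 ssh2
Mar  3 09:00:04 host1 sshd[2201]: Failed password for alice from 203.0.113.9 port 51012 ssh2
Mar  3 09:00:07 host1 sshd[2202]: Failed password for bob from 203.0.113.9 port 51013 ssh2
Mar  3 09:00:09 host1 sshd[2202]: Failed password for bob from 203.0.113.9 port 51014 ssh2
Mar  3 09:00:12 host1 sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 51015 ssh2
Mar  3 09:00:15 host1 sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 51016 ssh2
Mar  3 09:00:20 host1 sshd[2204]: Accepted password for carol from 198.51.100.4 port 40022 ssh2
Mar  3 09:45:00 host1 sshd[2300]: Failed password for dave from 198.51.100.4 port 40100 ssh2
"""


def parse_failures(text, year=2024):
    """Yield (timestamp, user, source ip) for each failed-password line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def trend_report(text, window_minutes=10, per_account=2, min_accounts=3):
    """Windows in which at least min_accounts accounts each had per_account+ failures.

    Returns a list of (window start, sorted affected accounts, sorted source ips)."""
    buckets = defaultdict(lambda: defaultdict(int))
    sources = defaultdict(set)
    for ts, user, ip in parse_failures(text):
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0)
        buckets[start][user] += 1
        sources[start].add(ip)
    alerts = []
    for start in sorted(buckets):
        hot = sorted(u for u, n in buckets[start].items() if n >= per_account)
        if len(hot) >= min_accounts:
            alerts.append((start, hot, sorted(sources[start])))
    return alerts


if __name__ == "__main__":
    for start, accounts, ips in trend_report(SAMPLE_LOG):
        print(f"{start:%Y-%m-%d %H:%M}: {len(accounts)} accounts with repeated failures "
              f"({', '.join(accounts)}) from {', '.join(ips)}")
```

The single failure for dave at 09:45 never reaches the alert threshold, which is the point of reporting on the trend rather than on each event: the 09:00 window, with three accounts failing repeatedly from one source, is the serious impending situation the notes describe.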



Isabella Rossi

Software Verification Consultant @ NCC Group | Cybersecurity Specialist

2y

Great post!!

Daniel Gur Arie

I come with real data on how DDoS attackers will take advantage of your vulnerabilities before an attack and not after.

2y

How do you run DDoS assessment?
